Score:0

Are 302 redirects visible to the final destination?

cn flag

Consider the following scenario:

Both https://foo and https://bar redirect the user's web browser to https://destination using the Location header with HTTP response code 302.

My question is: is it possible for the https://destination server to recognize which server the traffic was redirected from?

Score:0
us flag

I would say that the question can't be answered clearly, as it depends on the exact configuration of the website and the user agent (browser) used. Long story short: if the destination owner does not control foo or bar, then it might be very difficult; if it does, it's easy for the developers to implement.

First of all, you need to specify how the destination server is expected to recognize the request origin. Just a couple of ways (not a closed list) are:

  • by Referer header;
  • by GET/POST parameters;
  • by cookies;
  • by some more complex and unclear logic.

Referer

For Referer, the answer is the same as for this question, just with the newer HTTP RFC document to consult.

Long story short:

  • if both foo and bar explicitly set the Referer header (like here), it will probably be present in the request to destination (it depends upon the user agent, though);
  • if the initial page is retrieved via a secured connection and the redirection page is retrieved via an unsecured connection, the user agent shall not include the header;
  • if nothing is explicitly specified, then this is at the user agent's discretion. Many browsers are likely not to include the header, but this is not guaranteed and can change between versions, as the RFC does not mandate the behavior here.

GET/POST parameters

If all the servers' owners are aligned, they can use GET/POST parameters to pass the origin information to destination, as described in another thread.

Cookies

If all the servers' owners are aligned, they can use cookies or even some sort of user tracking mechanism like Google Analytics; there might be a way to utilize this knowledge in order to understand where the user came from.

Other options

If the destination owner has no means to access or influence the foo and bar servers, they might still be able to deduce some data from the request by checking all the headers and fields carefully: there is a small chance that foo and bar are, for example, setting some different headers, redirecting the user to slightly different pages, or exhibiting some other behavior that would allow the origin to be tracked. But this is, of course, not a reliable solution, if it is possible at all.
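
The "GET/POST parameters" option from the answer above, as an added example that is not part of the original thread: a cooperating origin (foo or bar) appends a `via` parameter to the Location URL of its 302, and the destination prefers that parameter over the client-controlled Referer header, which may be absent. It goes one step beyond the answer by signing `via` with a shared secret so a client cannot forge it; the parameter names `via`/`sig` and the secret are assumptions for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed secret for the example only; foo, bar and destination would each
# hold a copy, exchanged out of band. Not from the original thread.
SHARED_SECRET = b"example-secret-not-for-production"


def _sign(via: str) -> str:
    """HMAC-SHA256 over the origin label, hex encoded."""
    return hmac.new(SHARED_SECRET, via.encode(), hashlib.sha256).hexdigest()


def build_redirect_location(destination: str, via: str) -> str:
    """Value for the Location header of the 302 sent by a cooperating origin:
    the destination URL plus a signed `via` parameter, keeping any existing
    query parameters intact."""
    parts = urlsplit(destination)
    query = dict(parse_qsl(parts.query))
    query.update(via=via, sig=_sign(via))
    return urlunsplit(parts._replace(query=urlencode(query)))


def infer_origin(url: str, headers: dict) -> dict:
    """At the destination: decide which server redirected the client here.

    1. A correctly signed `via` parameter identifies a cooperating origin
       and is reported as verified.
    2. Otherwise fall back to the Referer header, which is client-controlled,
       optional, and stripped by browsers on an https->http hop, so it is
       reported as unverified.
    3. Otherwise the origin is unknown.
    """
    query = dict(parse_qsl(urlsplit(url).query))
    via, sig = query.get("via"), query.get("sig")
    if via is not None and sig is not None and hmac.compare_digest(sig, _sign(via)):
        return {"origin": via, "method": "parameter", "verified": True}
    # Header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if referer:
        return {"origin": urlsplit(referer).hostname, "method": "referer", "verified": False}
    return {"origin": None, "method": None, "verified": False}
```

A tampered or unsigned `via` value is ignored rather than trusted, so the destination only ever attributes a request to foo or bar with the "verified" flag when the cooperating server actually produced the redirect.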

vidarlo avatar
ar flag
How can the server set the `Referer` header? That's a client header. And how can they use cookies to track cross-site?
Para D avatar
cn flag
@Alex thank you for spending your time on the explanation, +1 for that. I'm also not convinced about the Referrer header. So, going through the answer, what I get is that in a "normal" scenario it's not possible for the destination to figure out the redirects without additional work on the request side.